Over on OWASP's Intrinsic Security list, I brought up that HTTPOnly cookies should be better implemented across the major browsers. Jim Manico replied that he's been actively trying to get the browsers to implement (or better implement) HTTPOnly cookies, and it became clear in talking with Yngve Pettersen that the lack of a specification for HTTPOnly was hindering browser vendors.
Out of that, we started a group to discuss and create the HTTPOnly cookie specification. If you're interested in participating, you can join here:
http://groups.google.com/group/ietf-httponly-wg
- Bil